CISM - Certified Information Security Manager


Example Questions

Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
What is the BEST way to ensure that contract programmers comply with organizational security policies?
Which of the following is the MOST important risk associated with middleware in a client-server environment?
An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
Which of the following guarantees that data in a file have not changed?
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
It is important to develop an information security baseline because it helps to define:
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
Senior management commitment and support for information security can BEST be enhanced through:
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities?
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
When an emergency security patch is received via electronic mail, the patch should FIRST be:
The information classification scheme should:
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
Which of the following is the BEST justification to convince management to invest in an information security program?
The MAIN goal of an information security strategic plan is to:
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
The PRIMARY objective of a risk management program is to:
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
The PRIMARY objective of security awareness is to:
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
Which of the following would BEST prepare an information security manager for regulatory reviews?
A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?
A web-based business application is being migrated from test to production. Which of the following is the MOST important management sign-off for this migration?
A risk assessment should be conducted:
Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
In assessing risk, it is MOST essential to:
There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
Nonrepudiation can BEST be assured by using:
An information security program should be sponsored by:
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
What is the BEST way to ensure users comply with organizational security requirements for password complexity?
Which of the following is the BEST approach for an organization desiring to protect its intellectual property?
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

Study Guides